QUALYS SECURITY CONFERENCE 2020


Securing the Digital Transformation with DevOps


Cloud & Container Security Automation


Badri Raghunathan 


Director of Product Management, Qualys, Inc. 




The Changing Role of Security 


Security selects and builds the security tooling
DevOps deploys and operationalizes the security tooling

Customer Data (PII, Credit Cards, etc.)

Example applications: Retail Banking App, Customer Social, Stock Trading App


Security Challenges in the Cloud 


- Lack of visibility or control on cloud resources
- Misconfiguration of cloud services
- Multi-cloud environment magnifies security challenges
- Lack of a unified security toolset/controls for on-prem & cloud workloads
Securing Your Cloud Deployments

IaaS: EC2 Instance, Azure VM, GCP Instance
PaaS: RDS, Azure SQL Database, Elastic Beanstalk, Containers
SaaS: Google Suite, Office 365

Cloud Infrastructure: S3 Bucket, Security Group, Network Security Group, Storage Blobs, Load Balancers, Firewall Rules
Cloud Security

Securing Cloud Workloads

Hardening and Standardizing

Vulnerability Management
- Asset Inventory & Vulnerability Assessment (Internal & Perimeter)
- Prioritization using Threat Protection
- Indicators of Compromise
- Patch Management

Policy Compliance
- Policy Compliance
- File Integrity Monitoring

Application Security
- Web Application Scanning
- Web Application Firewall
- API Security
Vulnerability Analysis in CI/CD

Blocking vulnerable applications/images entering production

[Diagram: Developers -> Jenkins -> Qualys automated vulnerability assessment -> Production]

Supports evaluating IPs/Hosts, Cloud Instances, and Web Applications
Rich Visibility with CloudView

Visibility into your cloud resources

- Identify public-facing/perimeter resources
- Resource usage by regions/accounts
- View associations to identify the blast radius

[Screenshot: CloudView resource graph showing a SQL Server Database and its Network Security Group associations]
Compliance Assessment

Identify misconfigured resources

[Screenshot: CloudView compliance view showing Total Failures counts (7195, 520, 624) and the top 5 failed controls for Azure and GCP]
Correlate with Vulnerability Data

- Identify vulnerable instances with public IP and associated with the misconfigured security groups
- Use vulnerability information for cloud instances to prioritize threats better


[Screenshot: Qualys Enterprise CloudView resources list for Amazon Web Services, 28 total instances across N. Virginia (16), London and Mumbai (5), filtered with the query vulnerability.threatIntel.easyExploit:true and securitygroup.inboundRule.ipv4Range:0.0.0.0 ; the matching instances are listed with public IP, region, instance type (t2.medium / t2.micro), Docker host status, running state and launch date]
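The slide's CloudView query combines an easy-exploit vulnerability flag with a security group whose inbound rule admits any source. The following is an added example, not Qualys code, showing the same correlation and a simple prioritization score over constructed in-memory records (instance ids, addresses, rule sets and vulnerability labels are all made up for the example; the dataclass names are assumptions and do not mirror any Qualys API):

```python
"""Correlate instance vulnerability data with security-group exposure to
prioritize remediation.

Added example for this slide, not Qualys code: CloudView expresses this as a
query over vulnerability.threatIntel.easyExploit and
securitygroup.inboundRule.ipv4Range; here the same logic runs over
constructed in-memory records so the scoring can be read and tested.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class InboundRule:
    ipv4_range: str  # source CIDR of the rule, e.g. "0.0.0.0/0"
    port: int


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[InboundRule]


@dataclass
class Vulnerability:
    ident: str        # constructed label, not a real Qualys QID
    severity: int     # 1 (lowest) .. 5 (highest)
    easy_exploit: bool


@dataclass
class Instance:
    instance_id: str
    public_ip: Optional[str]
    security_groups: List[SecurityGroup]
    vulnerabilities: List[Vulnerability]


def rule_is_world_open(rule: InboundRule) -> bool:
    """True when the rule's source range is 0.0.0.0/0 (any IPv4 address)."""
    return ipaddress.ip_network(rule.ipv4_range, strict=False).prefixlen == 0


def exposed_ports(inst: Instance) -> Set[int]:
    """Ports reachable from any source through the instance's security groups."""
    return {r.port for sg in inst.security_groups for r in sg.inbound
            if rule_is_world_open(r)}


def risk_score(inst: Instance) -> int:
    """Sum of severities of easily exploitable vulnerabilities, doubled when the
    instance is reachable from the Internet (public IP plus a world-open rule)."""
    base = sum(v.severity for v in inst.vulnerabilities if v.easy_exploit)
    reachable = inst.public_ip is not None and bool(exposed_ports(inst))
    return base * 2 if reachable else base


def prioritize(instances: List[Instance]) -> List[Tuple[str, int, List[int]]]:
    """Apply the slide's filter (easy-exploit vulnerability AND public IP AND
    world-open inbound rule) and return (instance_id, score, open ports),
    highest score first."""
    hits = []
    for inst in instances:
        if inst.public_ip is None:
            continue
        ports = exposed_ports(inst)
        if not ports or not any(v.easy_exploit for v in inst.vulnerabilities):
            continue
        hits.append((inst.instance_id, risk_score(inst), sorted(ports)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample data (ids, addresses and findings are made up).
SG_OPEN = SecurityGroup("sg-open", [InboundRule("0.0.0.0/0", 3389),
                                    InboundRule("10.0.0.0/8", 22)])
SG_INTERNAL = SecurityGroup("sg-internal", [InboundRule("10.0.0.0/8", 22)])

SAMPLE_INSTANCES = [
    Instance("web-1", "203.0.113.10", [SG_OPEN],
             [Vulnerability("V-1", 5, True), Vulnerability("V-2", 3, False)]),
    Instance("db-1", None, [SG_OPEN], [Vulnerability("V-3", 5, True)]),
    Instance("app-1", "203.0.113.11", [SG_INTERNAL], [Vulnerability("V-4", 4, True)]),
    Instance("win-1", "203.0.113.12", [SG_OPEN],
             [Vulnerability("V-5", 2, True), Vulnerability("V-6", 2, True)]),
]

if __name__ == "__main__":
    for instance_id, score, ports in prioritize(SAMPLE_INSTANCES):
        print(f"{instance_id}: score={score} world-open ports={ports}")
```

Only instances that satisfy all three conditions are returned, so an instance with a critical easy-exploit finding but no public IP (db-1) or no world-open rule (app-1) drops out of the shortlist, which is exactly the narrowing the slide's query performs.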
Serverless Visibility

Inventory support for AWS Lambda functions

[Screenshot: Qualys Express CloudView resources view filtered with resource.type:"Lambda Function", showing Total Lambda Functions]
Best practices policy for AWS Lambda functions

[Screenshot: CloudView policy view for Amazon Web Services filtered with policy.name:"AWS Lambda Best Practices Policy"; 1.61K total evaluations, 948 pass, 667 fail, 497 high, 48 medium]

Controls in the AWS Lambda Best Practices Policy:
- Ensure Lambda function has tracing enabled
- Ensure that Lambda Function is not using an IAM role for more than one La...
- Ensure that Multiple Triggers are not configured in Lambda Function
- Ensure that Lambda Runtime Version is latest and not custom
- Ensure that Lambda function does not have Admin Privileges
- Ensure that Lambda function does not have Cross Account Access
Built-in Security with Cloud Providers (NEW)

- Send findings into Azure, AWS, GCP Security Hubs
- Access & investigate findings from within the Cloud Provider Security console
- Native integration of vulnerability assessment of hosts, containers (MSFT Azure - Powered by Qualys)

[Screenshot: Azure Security Center recommendation "Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys) (Preview)", with total vulnerabilities (34), vulnerabilities by severity (High/Low), affected registries, and a list of security checks such as "Docker FollowSymlinkInScope Function Race Condi..." and CentOS security updates for binutils (CESA-2019:20...), curl (CESA-2019:1880, CESA-2019:2181), bind (CESA-2019:2057), libssh2, glibc (CESA-2019:2118), vim, openssl (CESA-2019:23...) and procps-ng]

Native Azure Host, Container Scanning (Powered by Qualys)
Container Security

Security across the Container Lifecycle

[Diagram: PRE-DEPLOYMENT PHASE covers BUILD (Jenkins, Bamboo, Docker) and SHIP, secured by the Container Sensor; POST-DEPLOYMENT PHASE covers RUN, secured by CRS and the Container Sensor, and HOST, secured by the Cloud Agent and/or Scanner Appliances]

CRS - Container Runtime Security


Scanning Containers in CI/CD

- DevOps friendly container scanning using a plug-in
- Actionable, detailed, high-accuracy vulnerability info for DevOps

[Diagram: Developers -> Jenkins -> Qualys automated vulnerability assessment -> Docker repositories]


Actionable findings for Dev, DevOps

[Screenshot: Jenkins pipeline-project build 478, Qualys Build Report for image e8d112ff7588]

Build Summary
Build Status: Failed; Image ID: e8d112ff7588; Tags: latest; Size: 828 MB
The vulnerabilities count by severity for image id e8d112ff7588 exceeded one of the configured threshold values.
Configured : Severity 1 > 0; Severity 2 > 0; Severity 3 > 0; Severity 4 > 0; Severity 5 > 0
Found : Severity 1: 0, Severity 2: 1, Severity 3: 11, Severity 4: 2, Severity 5: 0

Vulnerabilities: Confirmed Vulnerabilities (10): Sev 5 (0), Sev 4 (1), Sev 3 (9), Sev 2 (0); Potential Vulnerabilities (4); confirmed vulnerabilities in the current build compared with build 477.

Installed Software (flagged packages, Installed Version -> Fixed In Version):
- libmagickwand-dev 8:6.9.7.4+dfsg-11+deb9u3 -> 8:6.9.7.4+...
- libmagickwand-6-headers 8:6.9.7.4+dfsg-11+deb9u3 -> 8:6.9.7.4+...
- libmagickcore-dev 8:6.9.7.4+dfsg-11+deb9u3 -> 8:6.9.7.4+...
- libmagickcore-6-headers 8:6.9.7.4+dfsg-11+deb9u3 -> 8:6.9.7.4+...
- imagemagick-6.q16 8:6.9.7.4+dfsg-11+deb9u3 -> 8:6.9.7.4+...
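The build report above fails the build because a per-severity count exceeds its configured threshold. The following is an added example, not the Qualys Jenkins plug-in, of the gate logic behind such a report: the scan-result JSON shape is constructed for the example, and the thresholds and counts reproduce the numbers on the slide.

```python
"""CI/CD vulnerability gate: fail the build when the per-severity vulnerability
counts for a scanned image exceed configured thresholds.

Added example, not the Qualys Jenkins plug-in. The scan result format is
constructed for this example; the thresholds and counts mirror the build
report on the slide (image id e8d112ff7588).
"""
import json
import sys
from typing import Dict, List, Tuple

SEVERITIES = range(1, 6)

# Configured thresholds from the slide: severity N fails the build when the
# number of findings at severity N is greater than the configured value.
DEFAULT_THRESHOLDS: Dict[int, int] = {s: 0 for s in SEVERITIES}

# Constructed scan output (not real Qualys output): one record per finding.
SAMPLE_SCAN = {
    "imageId": "e8d112ff7588",
    "vulnerabilities": [{"severity": 2}] * 1
                       + [{"severity": 3}] * 11
                       + [{"severity": 4}] * 2,
}


def count_by_severity(scan: dict) -> Dict[int, int]:
    """Count findings per severity; reject values outside 1..5."""
    counts = {s: 0 for s in SEVERITIES}
    for finding in scan.get("vulnerabilities", []):
        sev = int(finding["severity"])
        if sev not in counts:
            raise ValueError(f"severity out of range: {sev}")
        counts[sev] += 1
    return counts


def evaluate_thresholds(counts: Dict[int, int],
                        thresholds: Dict[int, int]) -> List[Tuple[int, int, int]]:
    """Return (severity, found, allowed) for every exceeded threshold."""
    return [(s, counts.get(s, 0), allowed)
            for s, allowed in sorted(thresholds.items())
            if counts.get(s, 0) > allowed]


def gate(scan: dict, thresholds: Dict[int, int] = DEFAULT_THRESHOLDS):
    """Evaluate one scan; returns (status, counts, violations)."""
    counts = count_by_severity(scan)
    violations = evaluate_thresholds(counts, thresholds)
    return ("Failed" if violations else "Passed"), counts, violations


def format_report(scan: dict, thresholds: Dict[int, int] = DEFAULT_THRESHOLDS) -> str:
    """Render a summary in the style of the build report on the slide."""
    status, counts, violations = gate(scan, thresholds)
    lines = [f"Build Status: {status}  Image ID: {scan.get('imageId', '?')}"]
    lines.append("Configured : " + "; ".join(
        f"Severity {s} > {t}" for s, t in sorted(thresholds.items())))
    lines.append("Found : " + ", ".join(
        f"Severity {s}: {counts[s]}" for s in SEVERITIES))
    for s, found, allowed in violations:
        lines.append(f"  severity {s}: found {found}, threshold {allowed}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py [scan.json]; a non-zero exit status blocks the pipeline.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            scan = json.load(fh)
    else:
        scan = SAMPLE_SCAN
    print(format_report(scan))
    sys.exit(1 if gate(scan)[2] else 0)
```

With every threshold at 0 (the slide's configuration) a single finding at any severity fails the build; the `thresholds` argument lets a team start with looser limits for low severities and tighten them over time without changing the gate itself.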
Visibility into Container Infrastructure (NEW)

- Free inventory for all your container infrastructure
- Visibility into containers via Scanner, Cloud Agent, Container Sensor
- Tracking DockerHub official images
- Upgrade for security across DevOps pipeline

[Screenshot: Container Summary dashboard with Compliance, File Integrity Monitoring, Sensors and Alert Notification panels]
Deeper Visibility Into Containers

Inventory & security posture widgets
- Count of images, containers
- Containers by state
- Vulnerable images

Personalize and add custom widgets

[Screenshot: Container Security dashboard with widgets for total images and containers, IMAGE DISTRIBUTION BY REGISTRY (docker.io 260; art-hq.intranet.qualys.com:5001 55; 520985521435.dkr.ecr.ap-southeast-1.amazonaws.... 1), CONTAINER DISTRIBUTION BY STATE (DELETED, RUNNING), ROGUE CONTAINERS (BY SOFTWARE DIFFERENCES) and ROGUE CONTAINERS (BY VULNERABILITY DIFFERENCES)]
Correlating with Vulnerability Data

- Search based on all attributes
- Quick search filters (labels, registry, vulnerabilities)
- Identify images by application labels
- Image info, registry info, containers for this image, vulnerability posture
- Easy drill down for complete inventory

[Screenshot: Container Security > Assets > Images, filtered with vulnerabilities.severity:"Severity 5" and repo.registry:"docker.io", 68 total images; each row shows registry, repository (elasticsearch, redis, kibana, node, httpd, solr, tomcat), date, tag, Image Id, number of hosts and vulnerability counts]
Detecting Runtime Drift

[Screenshot: Container Security > Assets > Containers, 422 total containers, with filters for VULNERABILITIES (Severity 5/4/3/2), STATE (RUNNING, DELETED, STOPPED, CREATED), DRIFT (Vulnerability, Software), PRIVILEGED (false/true) and ROOT (true); widgets for 18 Root Containers (k8s_kube-proxy, k8s_omsagent and k8s_tunnel-front pods), Privileged Containers, 0 Containers detected without CS Sensor, and Containers in Drift]

Identify potential breaches in containers

"Drift" Containers differ from their parent Images by vulnerability, software package composition, behavior, etc.
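Drift detection comes down to comparing what is observed in a running container with what its parent image shipped. The following is an added example, not Qualys Container Sensor code, that computes software drift (packages added, removed or re-versioned after launch) and vulnerability drift (findings present on only one side) from constructed package lists; the two-column "name version" format and the versions themselves are assumptions made for the example.

```python
"""Detect container drift by comparing a running container's package
inventory against the manifest of the image it was started from.

Added example, not Qualys Container Sensor code. Package lists are
constructed "name version" lines, one package per line.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed manifests (package names are real Debian package names; the
# versions and the drift between them are made up for this example).
IMAGE_PACKAGES = """\
libc6 2.24-11+deb9u4
curl 7.52.1-5+deb9u9
openssl 1.1.0l-1~deb9u1
nginx 1.10.3-1+deb9u3
"""

CONTAINER_PACKAGES = """\
libc6 2.24-11+deb9u4
curl 7.52.1-5+deb9u10
nginx 1.10.3-1+deb9u3
netcat-traditional 1.10-41
"""


def parse_packages(text: str) -> Dict[str, str]:
    """Parse "name version" lines into a dict; blank and '#' lines are ignored."""
    pkgs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed package line: {raw!r}")
        name, version = parts
        if name in pkgs:
            raise ValueError(f"duplicate package entry: {name}")
        pkgs[name] = version
    return pkgs


@dataclass
class DriftReport:
    added: Dict[str, str] = field(default_factory=dict)    # only in container
    removed: Dict[str, str] = field(default_factory=dict)  # only in image
    changed: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # (image, container)

    @property
    def in_drift(self) -> bool:
        return bool(self.added or self.removed or self.changed)


def detect_software_drift(image: Dict[str, str], container: Dict[str, str]) -> DriftReport:
    """Software drift: packages installed, removed or re-versioned since launch."""
    report = DriftReport()
    for name, version in container.items():
        if name not in image:
            report.added[name] = version
        elif image[name] != version:
            report.changed[name] = (image[name], version)
    for name, version in image.items():
        if name not in container:
            report.removed[name] = version
    return report


def detect_vulnerability_drift(image_vulns: Set[str],
                               container_vulns: Set[str]) -> Dict[str, List[str]]:
    """Vulnerability drift: findings present only on the container (introduced
    after launch) or only on the image (no longer present on the container)."""
    return {"introduced": sorted(container_vulns - image_vulns),
            "resolved": sorted(image_vulns - container_vulns)}


def summarize(report: DriftReport) -> str:
    """One-line, human-readable drift summary."""
    if not report.in_drift:
        return "no drift: container matches its parent image"
    parts = [f"added {n} {v}" for n, v in sorted(report.added.items())]
    parts += [f"removed {n} {v}" for n, v in sorted(report.removed.items())]
    parts += [f"changed {n} {a} -> {b}" for n, (a, b) in sorted(report.changed.items())]
    return "drift detected: " + "; ".join(parts)


if __name__ == "__main__":
    report = detect_software_drift(parse_packages(IMAGE_PACKAGES),
                                   parse_packages(CONTAINER_PACKAGES))
    print(summarize(report))
```

An "added" package in a container that should be immutable (here a network tool the image never shipped) is the kind of signal the slide calls a potential breach; a "changed" version is the more benign case of in-place patching that still makes the running container diverge from what was scanned and approved.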
Hardening, Response for Containers

- Qualys layer for Container Runtime Security
- Breach
- Indicators of Compromise (e.g. File, Network Activity etc.)
Container Runtime Security (NEW)

- Integrated into Qualys Platform
- Granular security policies to control file, network, process behavior
- Function level firewall for containers
- Built-in policies from Qualys Threat Research

[Screenshot: container detail view "View Details: e910f86a4411" with a behavior log entry for /sbin/init at 04:26:26 AM]
Towards Automated Remediation


Towards Seamless Visibility 
Global IT Asset Inventory

- Across application stack (Hosts, Kubernetes Pods, Containers, Serverless)
- Correlate cloud inventory data with containers
Securing Your Cloud Deployments

IaaS: EC2 Instance, Azure VM, GCP Instance
PaaS: RDS, Azure SQL Database, Elastic Beanstalk, Containers
SaaS: Google Suite, Office 365; SaaS Security (Aadya)

Cloud Infrastructure: S3 Bucket, Security Group, Network Security Group, Storage Blobs, Load Balancers, Firewall Rules

Supported cloud providers: AWS, Azure, Google Cloud, Oracle Cloud, SoftLayer
Qualys GitHub for DevOps

- Automation scripts for sensors
- Best practice process automation
- Open source community around the Qualys ecosystem

https://github.com/qualys
Thank You

Badri Raghunathan
braghunathan@qualys.com


